Sourabh Sarvotham Parkala created SOLR-14960:
------------------------------------------------

             Summary: Solr-clustering is bringing in CVE-2018-10237 vulnerable guava
                 Key: SOLR-14960
                 URL: https://issues.apache.org/jira/browse/SOLR-14960
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
    Affects Versions: 8.6.3
            Reporter: Sourabh Sarvotham Parkala


Hello Team,

we find that the Solr-Clustering module is bringing in a vulnerable library `org.carrot2.shaded:carrot2-guava:18.0`. The vulnerability is [CVE-2018-10237|https://nvd.nist.gov/vuln/detail/CVE-2018-10237]

Severity: Medium
CVSS Score: 5.9

[INFO] +- org.apache.solr:solr-clustering:jar:8.6.3:compile
[INFO] |  +- com.carrotsearch.thirdparty:simple-xml-safe:jar:2.7.1:compile
[INFO] |  +- org.carrot2:carrot2-mini:jar:3.16.0:compile
[INFO] |  +- org.carrot2.attributes:attributes-binder:jar:1.3.3:compile
[INFO] |  \- org.carrot2.shaded:carrot2-guava:jar:18.0:compile

Hence, creating this BUG to request you to remove the dependency of Carrot2 from the Solr module, as the last update from the [carrot2|https://mvnrepository.com/artifact/org.carrot2.shaded/carrot2-guava] library seems to be in 2015, and we cannot be sure if they will release a new version with the updated guava library fix.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
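The transitive chain quoted in the report is the kind of thing a build check can flag automatically. Below is an added example (not part of this issue or the Solr project) that parses `mvn dependency:tree` output and reports the full path to any artifact on a watch list; the watch-list entry is the shaded carrot2-guava 18.0 / CVE-2018-10237 pair from the report, and the sample tree is constructed from the quoted lines under an assumed `com.example:my-app` root.

```python
# Added example: walk `mvn dependency:tree` output and report every path that
# ends in a watch-listed artifact. A shaded copy such as org.carrot2.shaded:
# carrot2-guava lives under its own coordinate, so a scanner keyed only on
# com.google.guava:guava would miss it; matching on the shaded coordinate is
# what catches the chain shown in the report.
import re

# Watch list: groupId:artifactId -> (vulnerable version, advisory).
# The entry below is the one named in SOLR-14960.
VULNERABLE = {
    "org.carrot2.shaded:carrot2-guava": ("18.0", "CVE-2018-10237"),
}

# Constructed sample: the subtree quoted in the report, placed under an
# assumed root project (com.example:my-app is a placeholder).
SAMPLE_TREE = """\
[INFO] com.example:my-app:jar:1.0
[INFO] +- org.apache.solr:solr-clustering:jar:8.6.3:compile
[INFO] |  +- com.carrotsearch.thirdparty:simple-xml-safe:jar:2.7.1:compile
[INFO] |  +- org.carrot2:carrot2-mini:jar:3.16.0:compile
[INFO] |  +- org.carrot2.attributes:attributes-binder:jar:1.3.3:compile
[INFO] |  \\- org.carrot2.shaded:carrot2-guava:jar:18.0:compile
[INFO] \\- org.apache.solr:solr-solrj:jar:8.6.3:compile
"""

# Tree-drawing prefix ("+- ", "|  ", "\- ") followed by a single coordinate.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[|+\\ -]*)(?P<coord>\S+)$")


def parse_tree(text):
    """Yield (depth, 'groupId:artifactId', version) for each dependency line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banners, BUILD SUCCESS, etc. do not match
        parts = m.group("coord").split(":")
        if len(parts) < 4:  # not groupId:artifactId:type:version[:scope]
            continue
        depth = len(m.group("prefix")) // 3  # every nesting level is 3 chars
        yield depth, f"{parts[0]}:{parts[1]}", parts[3]


def find_vulnerable_paths(text):
    """Return 'root -> ... -> artifact@version (advisory)' for each hit."""
    stack, hits = [], []
    for depth, ga, version in parse_tree(text):
        del stack[depth:]  # pop back to this node's parent
        stack.append(f"{ga}@{version}")
        bad = VULNERABLE.get(ga)
        if bad and bad[0] == version:
            hits.append(" -> ".join(stack) + f" ({bad[1]})")
    return hits
```

Feeding the real `mvn dependency:tree` output of a project that depends on solr-clustering 8.6.3 into `find_vulnerable_paths` shows which direct dependency pulls the shaded guava in, which is the fact needed to decide whether to exclude the module or wait for an upstream fix.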